2019-03-15 - MALSPAM PUSHES LOKIBOT

ASSOCIATED FILES:


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic related to this malware, I suggest the following URL:


MALSPAM EXAMPLE


Shown above:  Screenshot from the malspam.


HEADERS FROM TODAY'S LOKIBOT MALSPAM EXAMPLE

Authentication-Results: [removed]; iprev=pass policy.iprev="165.227.181.253"; spf=softfail smtp.mailfrom="hongwoo@gmail.com" smtp.helo="centos-s-2vcpu-4gb-nyc3-03"; dkim=none (message not signed) header.d=none; dmarc=fail (p=none; dis=none) header.from=gmail.com
Received: from [165.227.181.253] ([165.227.181.253:41356] helo=centos-s-2vcpu-4gb-nyc3-03)
        by [removed] (envelope-from <hongwoo@gmail.com>) [removed];
        Thu, 14 Mar 2019 21:42:49 -0400
Received: from [102.165.35.45] (helo=User)
        by centos-s-2vcpu-4gb-nyc3-03 with esmtpa (Exim 4.91)
        (envelope-from <hongwoo@gmail.com>)
        id 1h4bkR-00031v-Qc; Fri, 15 Mar 2019 01:35:01 +0000
Reply-To: <allen.youfasteelpipe@gmail.com>
From: "Mr. Hong Woo"<hongwoo@gmail.com>
Subject: INV 3326GHF- from Outriger General Importers Korea for acknowledgment
Date: Fri, 15 Mar 2019 01:34 UTC
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_00D1_01C2A9A6.71AA6BD8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1h4bkR-00031v-Qc@centos-s-2vcpu-4gb-nyc3-03>
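As an added illustration (not part of the original post), the Python below parses the Authentication-Results header quoted above and spells out why the message is suspicious: the hongwoo@gmail.com sender softfails SPF from a HELO that is not a Google host, carries no DKIM signature, and fails DMARC, yet the published gmail.com policy in that header is p=none, so the receiving server was only asked to monitor, not reject. The header string is copied from the sample; the function names and the clause regex are my own.

```python
import re

# Authentication-Results header copied from the malspam sample shown above.
AUTH_RESULTS = (
    'Authentication-Results: [removed]; iprev=pass policy.iprev="165.227.181.253"; '
    'spf=softfail smtp.mailfrom="hongwoo@gmail.com" smtp.helo="centos-s-2vcpu-4gb-nyc3-03"; '
    'dkim=none (message not signed) header.d=none; '
    'dmarc=fail (p=none; dis=none) header.from=gmail.com'
)

# One clause per method: method=result [(comment)] [ptype.prop=value ...]
_CLAUSE_RE = re.compile(
    r'(?P<method>[A-Za-z-]+)=(?P<result>[A-Za-z-]+)'
    r'\s*(?:\((?P<comment>[^)]*)\))?'
    r'(?P<props>(?:\s*[\w.-]+=(?:"[^"]*"|[^\s;]+))*)'
)
_PROP_RE = re.compile(r'([\w.-]+)=(?:"([^"]*)"|([^\s;]+))')

def parse_auth_results(header):
    """Return {method: {"result", "comment", "props": {ptype.prop: value}}}."""
    body = header.split(":", 1)[1]  # drop the "Authentication-Results:" field name
    parsed = {}
    for m in _CLAUSE_RE.finditer(body):
        # Quoted values land in group 2, bare values in group 3.
        props = {p.group(1): p.group(2) if p.group(2) is not None else p.group(3)
                 for p in _PROP_RE.finditer(m.group("props"))}
        parsed[m.group("method")] = {"result": m.group("result"),
                                     "comment": m.group("comment") or "",
                                     "props": props}
    return parsed

def triage(parsed):
    """List why the message is suspicious, and why DMARC still let it through."""
    findings = []
    spf = parsed.get("spf", {"result": "none", "props": {}})
    if spf["result"] != "pass":
        findings.append("spf=%s for %s" % (spf["result"], spf["props"].get("smtp.mailfrom", "?")))
    if parsed.get("dkim", {}).get("result") != "pass":
        findings.append("no valid DKIM signature")
    dmarc = parsed.get("dmarc", {"result": "none", "comment": "", "props": {}})
    if dmarc["result"] == "fail":
        # The receiver records the sender domain's published policy in the comment.
        policy = re.search(r"\bp=(\w+)", dmarc["comment"])
        policy = policy.group(1) if policy else "unknown"
        findings.append("dmarc=fail for header.from=%s, published policy p=%s" % (
            dmarc["props"].get("header.from", "?"), policy))
    return findings

if __name__ == "__main__":
    for line in triage(parse_auth_results(AUTH_RESULTS)):
        print(line)
```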


MALWARE


Shown above:  Lokibot malware extracted from the attached zip archive.



Shown above:  Lokibot malware persistent on an infected Windows host.


MALWARE FROM AN INFECTION:


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  TCP stream of the first HTTP request caused by this Lokibot sample.


TRAFFIC FROM AN INFECTED WINDOWS HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
